Description
Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Navigation Bypass
Action: Patch
AI Analysis

Impact

A flaw in Chrome's DevTools allowed a remote attacker to bypass navigation restrictions by loading a crafted HTML page. The vulnerability is caused by insufficient policy enforcement, enabling navigation to URLs that should otherwise be blocked. This flaw falls under an authorization control weakness, exposing the ability to override normal navigation restrictions.

Affected Systems

Users running Google Chrome versions earlier than 146.0.7680.71 on Windows, macOS, or Linux operating systems are affected. The issue is specific to the Chrome browser and can impact any user who opens a malicious page that triggers the DevTools feature. Updating to version 146.0.7680.71 or newer resolves the problem.

Risk and Exploitability

The flaw carries a CVSS score of 4.3, classified as low severity, and an EPSS score indicating an exploitation probability of less than one percent. It is not listed in CISA’s Known Exploited Vulnerabilities catalog. Because the attacker can trigger the issue from a web page that a user visits, the likely vector is remote web-based. The low score suggests a minimal probability of widespread exploitation, yet the ability to navigate to restricted URLs warrants timely remediation.

Generated by OpenCVE AI on April 16, 2026 at 09:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Google Chrome to version 146.0.7680.71 or newer.
  • If an immediate update is not possible, restrict or disable DevTools usage for non-administrator users via Chrome enterprise policies to prevent navigation bypasses.
  • Monitor for attempted navigation to restricted URLs from DevTools and audit browser logs for abnormal activity.



Advisories
Source: Debian DSA
ID: DSA-6164-1
Title: chromium security update
History

Mon, 16 Mar 2026 12:45:00 +0000

Type: First Time appeared
  • Apple
  • Apple macos
  • Linux
  • Linux linux Kernel
  • Microsoft
  • Microsoft windows
Type: Weaknesses
  • NVD-CWE-noinfo
Type: CPEs
  • cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
  • cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Type: Vendors & Products
  • Apple
  • Apple macos
  • Linux
  • Linux linux Kernel
  • Microsoft
  • Microsoft windows

Sat, 14 Mar 2026 04:15:00 +0000

Type: Weaknesses
  • CWE-284
Type: Metrics
  • cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  • cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Fri, 13 Mar 2026 12:15:00 +0000

Type: Title
  • chromium-browser: Insufficient policy enforcement in DevTools
Type: References
Type: Metrics
  • threat_severity: None
  • cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}
  • threat_severity: Low


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
  • Google
  • Google chrome
Type: Vendors & Products
  • Google
  • Google chrome

Wed, 11 Mar 2026 22:15:00 +0000

Type: Description
  • Insufficient policy enforcement in DevTools in Google Chrome prior to 146.0.7680.71 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
Type: References

MITRE

Status: PUBLISHED

Assigner: Chrome

Published:

Updated: 2026-03-14T03:20:39.940Z

Reserved: 2026-03-11T05:54:15.429Z

Link: CVE-2026-3940

Vulnrichment

Updated: 2026-03-14T03:20:33.344Z

NVD

Status : Modified

Published: 2026-03-11T22:16:36.680

Modified: 2026-03-16T14:19:54.890

Link: CVE-2026-3940

Redhat

Severity : Low

Public Date: 2026-03-10T00:00:00Z

Links: CVE-2026-3940 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T09:30:06Z

Weaknesses